setup.py: Don’t append timestamp when run from an sdist.
This should fix some downstream build issues.

passlib.tests.test_totp: Test suite now traps additional errors that datetime.utcfromtimestamp()
may throw under python 3, which should fix some test failures on architectures with rarer ILP sizes.
It also works around Python 3.6 bug 29100.

This release includes a number of new features, cleans up
some long-standing design issues, and contains a number of internal
improvements; all part of the roadmap towards a leaner and simpler Passlib 2.0.

passlib.hash.cisco_asa –
Support for Cisco ASA 7.0 and newer hashes (issue 51).
Note: this should be considered experimental, and needs verification
of it’s test vectors.

New Modules

New passlib.totp module provides full support for TOTP tokens
on both client and server side. This module contains both low-level primitives,
and high-level helpers for persisting and tracking client state.

New passlib.pwd module added to aid in password generation.
Features support for alphanumeric passwords, or generation
of phrases using the EFF’s password generation wordlist.

All hashers which truncate passwords (e.g. bcrypt
and des_crypt) can now be configured to raise
a PasswordTruncateError when a overly-large password is provided.
This configurable via (for example) bcrypt.using(truncate_error=True).hash(secret),
or globally as an option to CryptContext (issue 59).

Cryptographic Backends

The pbkdf2_hmac() function and all PBKDF2-based
hashes have been sped up by ~20% compared to Passlib 1.6. For an even greater
speedup, it will now take advantage of the external fastpbk2
library, or stdlib’s hashlib.pbkdf2_hmac() (when available).

bcrypt: Passlib will now detect and work around
a fatal concurrency bug in py-bcrypt 0.2 and earlier
(a PasslibSecurityWarning will also be issued).
Nevertheless, users are strongly encouraged to upgrade to py-bcrypt 0.3
or another bcrypt library if you are using the
bcrypt hash.

CryptContext instances now pass contextual keywords (such as “user”)
to the hashes that support them, but ignore them for hashes that don’t (issue 63).

The passlib.apache htpasswd helpers now preserve blank lines and comments,
rather than throwing a parse error (issue 73).

As part of a long-range plan to restructure and simplify both the API and the internals of Passlib,
a number of methods have been deprecated & replaced. The eventually goal is a large cleanup
and overhaul as part of Passlib 2.0. There will be at least one more 1.x version
before Passlib 2.0, to provide a final transitional release
(see the Passlib Roadmap).

[major] The PasswordHash.encrypt() method
has been renamed to PasswordHash.hash(),
to clarify that it’s performing one-way hashing rather than reversiable encryption.
A compatibility alias will remain in place until Passlib 2.0.
This should fix the longstanding issue 21.

[major] Passing explicit configuration options to the PasswordHash.encrypt() method
(now called PasswordHash.hash()) is deprecated.
To provide settings such as rounds and salt_size, callers
should use the new PasswordHash.using()
method, which generates a new hasher with a customized configuration.
For example, instead of:

>>> sha256_crypt.encrypt("secret",rounds=12345)

... applications should now use:

>>> sha256_crypt.using(rounds=12345).hash("secret")

Support for the old syntax will be removed in Passlib 2.0.

Note

This doesn’t apply to contextual options such as cisco_pix‘s
user keyword, which should still be passed into the hash() method.

The passlib.utils.generate_secret() function has been deprecated
in favor of the new passlib.pwd module, and the old function will be removed
in Passlib 2.0.

Most of passlib’s internal cryptography helpers have been moved from
passlib.utils to passlib.crypto, and the APIs refactored.
This allowed unification of various hash management routines,
some speed ups to the HMAC and PBKDF2 primitives, and opens up the architecture
to support more optional backend libraries.

Compatibility wrappers will be kept in place at the old location until Passlib 2.0.

Some deprecations and internal changes have been made to the passlib.utils.handlers
module, which provides the common framework Passlib uses to implement hashers.

Caution

More backwards-incompatible relocations are planned for the internal
passlib.utils module in the Passlib 1.8 / 1.9 releases.